Privacy Policy
1. Data Controller
Online-Marketing Agentur E-Werkstatt e.U.
Absbergasse 29/1/56
1100 Vienna, Austria
VAT ID: ATU57197811
Email: buero@ewerkstatt.com
2. What Data We Process
2.1 Registration and Account
During registration, we collect the following data:
- Name and email address
- Company name and country
- VAT identification number (UID/VAT), if provided
- Password (stored as a hash – we cannot access your plaintext password)
This data is necessary to fulfil the contractual relationship with you and to grant you access to the platform.
Legal basis: Art. 6(1)(b) GDPR (performance of contract)
2.2 Teams and Shared Use
tellmio is designed as a team solution. Every user automatically creates a team upon registration. Additional people can be invited by email to join the team.
What data is shared within a team:
All members of a team see the same projects and can start analysis tasks. Projects and reports are not assigned to individual users but to the team as a whole. Invoices and credits are also managed at the team level.
Roles within a team:
There are two roles: Member and Team Leader. Team Leaders can edit team information, purchase credits, view invoices, invite new members, and suspend members. Multiple people can hold the Team Leader role simultaneously. A Team Leader can grant or revoke Team Leader status from other members.
Invitations:
Invitations are sent by email address. The system stores the invited email address, the time of the invitation, and a secure invitation token. Invitations are valid for 7 days. After expiry or acceptance, the token is deleted.
Suspension of members:
Team Leaders can suspend members, for example after the end of a working relationship. A suspension prevents new tasks from being started and deactivates the affected user's email delivery destinations. Login remains possible; the suspended user sees an information screen with the team's contact details. The following data is stored: time of suspension, the person who carried it out, and an optional reason. This data is only visible to Team Leaders and administrators.
Legal basis: Art. 6(1)(b) GDPR (performance of contract) and Art. 6(1)(f) GDPR (legitimate interest in organised collaboration and access control)
2.3 Connected Google Accounts (Google OAuth2)
tellmio allows you to connect your own Google accounts to the platform. The connection is established via Google's standardised OAuth2 procedure. You decide which Google accounts to connect and can disconnect them at any time in your account settings.
Permissions we request:
| Permission | Purpose |
|---|---|
| Google Analytics 4 (read access) | Retrieving website usage data for analysis tasks |
| Google Search Console (read access) | Retrieving search queries and visibility data |
| Google Ads (read access) | Retrieving campaign data and performance metrics |
| Google Drive (create/read own files) | Storing reports on your Google Drive, if activated by you |
| Google Profile (email, name) | Displaying the connected account in the user interface |
What we store:
- Email address and display name of the connected Google account
- Access token and refresh token – stored encrypted (AES-256-CBC)
- Expiry time of the access token
- Granted permissions (scopes)
- Connection status and connection timestamp
We only access data that is necessary for the analyses you have commissioned. Access is strictly read-only, except for Google Drive (where only files created by tellmio are stored).
Legal basis: Art. 6(1)(b) GDPR (performance of contract)
2.4 Project Data and Analysis Tasks
When you create a project and start an analysis task, we process:
- The website URL you have specified
- Content of your website that we retrieve for the analysis (website scraping – your own website only)
- Data from the connected Google services (GA4, Search Console, Google Ads) for the period of the task
- Your inputs for project configuration (campaign goals, target audiences, etc.)
This data is used exclusively for the purpose of generating the report you have commissioned.
Legal basis: Art. 6(1)(b) GDPR (performance of contract)
2.5 Technical Logging of Analysis Tasks
To ensure stable operation and to track system costs, technical metadata is logged for each analysis task. This includes: the start date and time of the task, the internal task type code, the number of credits consumed, the number of AI tokens processed, and the approximate cost of the AI model used.
Neither the person who commissioned the task nor the content of the analysis is stored. The log data does not allow any inference about specific campaign data, website content, or search queries.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in system stability and cost transparency)
2.6 AI-Powered Analysis
Your data is analysed using AI language models. The data relevant to the task (campaign data, website content, metrics) is transmitted to our AI service provider OpenRouter (Benutzerdef. Technologies Inc., USA).
OpenRouter forwards the requests to the AI models selected by you or us (e.g. Google Gemini or Anthropic Claude). No data is permanently stored by OpenRouter or used to train models. OpenRouter has assumed data protection obligations towards us (Data Processing Agreement, incorporated into the OpenRouter Terms of Service).
As OpenRouter is based in the USA, this constitutes a transfer to a third country within the meaning of Art. 44 et seq. GDPR. This transfer is based on the EU Standard Contractual Clauses (SCCs).
Legal basis: Art. 6(1)(b) GDPR (performance of contract)
2.7 Payments and Invoices
Payments are processed via Mollie B.V. (Amsterdam, Netherlands). When making a purchase, your payment data is transmitted directly to Mollie. We do not store credit card numbers or bank details.
We store the following invoice data:
- Invoice number, invoice date, service period
- Invoice amount, tax rate, tax amount
- Billing address of the team (company name, VAT ID, address)
Invoices are stored as PDFs on our file storage (Wasabi S3, data centre Central Europe 2 / Frankfurt).
Retention period: Invoice records are retained for 7 years in accordance with § 132 of the Austrian Federal Tax Code (BAO) and deleted thereafter.
Legal basis: Art. 6(1)(c) GDPR (legal obligation) in conjunction with § 132 BAO
2.8 Report Delivery
Completed reports can optionally be delivered to various destinations that you configure yourself:
- Email: Report is sent to your registered email address
- Wasabi S3 (own bucket): Storage in your own cloud storage
- Dropbox: Storage in your Dropbox account (connected via Dropbox OAuth2)
- Google Drive: Storage in your Google Drive (via connected Google account)
- Slack: Transmitted to a Slack webhook configured by you
The transmission of data to these destinations occurs exclusively on your instruction and configuration. You are responsible for the security and accessibility of these destinations.
Legal basis: Art. 6(1)(b) GDPR (performance of contract)
2.9 Technical Connection Data
With every page request, technical data is automatically transmitted and briefly stored in server logs:
- IP address (truncated)
- Date and time of access
- Requested URL
- Browser type and operating system (from the user agent)
- HTTP status code
This data is used exclusively to ensure operation and for error analysis, and is deleted after at most 30 days.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure operation)
3. Data Processing Agreement (DPA)
To the extent that we process your data on your behalf – in particular the data of your connected Google accounts and your analysis tasks – we act as your data processor within the meaning of Art. 28 GDPR. This Privacy Policy, together with our Terms of Service, fulfils the requirements of a data processing agreement.
You remain the data controller for the data you have us analyse via tellmio. We process this data exclusively on your instruction (by starting tasks in the application) and for no other purpose.
4. Third-Party Disclosure and Processors
We only share your data where this is necessary to fulfil the contract. The following service providers process data on our behalf:
| Provider | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database operations (PostgreSQL) | AWS eu-west-1, Ireland |
| Wasabi Technologies LLC | File storage (reports, invoices) | Central Europe 2, Frankfurt |
| n8n GmbH | Workflow automation (analysis tasks) | Azure Germany West Central, Frankfurt |
| Mollie B.V. | Payment processing | Amsterdam, Netherlands |
| OpenRouter (Benutzerdef. Technologies Inc.) | AI analysis | USA (safeguarded by SCCs) |
All service providers have been carefully selected and have assumed data protection obligations towards us.
5. International Data Transfers
Some of our service providers are based outside the EU/EEA (third countries):
- OpenRouter (USA): Data transfer on the basis of EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR.
- Supabase: Database servers in AWS eu-west-1 (Ireland, within the EU). Supabase Inc. is based in the USA; data transfer on the basis of SCCs.
6. Retention Periods
| Data category | Retention period |
|---|---|
| Account data | Until account deletion + 30-day grace period |
| Google OAuth tokens | Until the connection is disconnected or the account is deleted |
| Analysis results (reports) | Until manually deleted or account deletion |
| Technical task logs | 12 months |
| Invitation tokens | 7 days or until the invitation is accepted |
| Invoices | 7 years (statutory retention obligation, § 132 BAO) |
| Server logs | Maximum 30 days |
| Payment transaction IDs | 7 years (statutory tax obligation) |
If a team is paused by the Team Leader, all data belonging to that team will be permanently deleted after 30 days unless the team is reactivated beforehand. Invoices are exempt from this deletion and will continue to be retained in accordance with the statutory retention obligation.
After the respective period has elapsed, data is permanently deleted.
7. Your Rights as a Data Subject
You have the following rights with respect to us:
- Access (Art. 15 GDPR): You may request information about the data we store about you at any time.
- Rectification (Art. 16 GDPR): You may have inaccurate data corrected.
- Erasure (Art. 17 GDPR): You may request the deletion of your data, to the extent that no statutory retention obligations apply.
- Restriction of processing (Art. 18 GDPR): You may request restriction of the processing of your data in certain circumstances.
- Data portability (Art. 20 GDPR): You may receive your data in a machine-readable format.
- Objection (Art. 21 GDPR): You may object to processing based on legitimate interests.
To exercise your rights, please contact: buero@ewerkstatt.com
We will respond to requests within 30 days.
8. Right to Lodge a Complaint
You have the right to lodge a complaint with the Austrian Data Protection Authority:
Österreichische Datenschutzbehörde (Austrian Data Protection Authority)
Barichgasse 40–42
1030 Vienna, Austria
Email: dsb@dsb.gv.at
Web: dsb.gv.at
9. Cookies and Technical Storage
tellmio uses exclusively technically necessary cookies without which the application cannot function:
| Cookie | Purpose | Retention |
|---|---|---|
| Session cookie | Maintaining login status | Browser session / until sign-out |
| CSRF token | Protection against cross-site request forgery attacks | Browser session |
We do not use tracking cookies, analytics cookies, or advertising cookies. Cookie consent is therefore not required.
10. Data Security
All connections to the platform are encrypted using TLS (HTTPS). API credentials (Google OAuth tokens) are stored encrypted in the database (AES-256-CBC). Passwords are stored exclusively as bcrypt hash values.
11. Web Analytics
Consent Management (Cookiebot)
This website uses Cookiebot, a service of Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark, to manage cookie consents.
Cookiebot stores your consent status in a cookie named CookieConsent in your browser. This cookie has a lifespan of 12 months. It contains no personal data other than your consent decision and the date and time of your consent.
On your first visit to the website, Cookiebot establishes a connection to Cybot A/S's servers to retrieve your current consent status. Your IP address is transmitted to Cybot A/S during this process. Cybot A/S processes this data exclusively to provide the consent management service. The data is not used for advertising purposes and is not shared with third parties.
The legal basis for this processing is Art. 6(1)(c) GDPR (legal obligation to maintain verifiable consent).
For more information, see Cybot A/S's Privacy Policy: cookiebot.com/en/privacy-policy/
Google Tag Manager
This website uses Google Tag Manager, a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Google Tag Manager itself does not set cookies and does not transmit personal data. It merely manages other tags (e.g. analytics and marketing scripts) that are embedded on the website. These tags are only activated when you have given your corresponding consent via the Cookiebot banner.
For more information: marketingplatform.google.com/about/analytics/tag-manager/use-policy/
Google Analytics 4
This website uses Google Analytics 4, a web analytics service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
Google Analytics 4 anonymously collects information about how visitors use the website – for example, which pages are viewed, how long visits last, and which regions the visits come from. The data collected is stored on Google's servers in the USA. Google LLC is certified under the EU-US Data Privacy Framework, ensuring an adequate level of data protection.
IP addresses are anonymised by Google Analytics 4 by default before being stored (IP anonymisation is no longer separately configurable in GA4 – it is built in).
Google Analytics 4 is integrated via Google Tag Manager and is only activated when you have consented to the "Statistics" category in the Cookiebot banner.
The legal basis for this processing is Art. 6(1)(a) GDPR (consent). You can withdraw your consent at any time by opening the cookie settings via the "Cookie Settings" link at the bottom of the page and disabling the "Statistics" category.
For more information on how Google processes data: policies.google.com/privacy
12. Changes to this Privacy Policy
We reserve the right to update this Privacy Policy as needed – for example, if legal requirements change or we introduce new features. The current version is always available at tellmio.app/privacy. We will notify you by email of any material changes.